authorization flow broken #63

Closed
gamemachine opened this issue Mar 7, 2012 · 4 comments

Comments

@gamemachine

For most use cases, especially when connecting to any APIs, the current flow for authentication is unusable.

Netty and Grizzly adapters do not provide a way to get at the www-authenticate header or otherwise cache auth credentials. That's pretty much a requirement for any high volume traffic using auth.

If you do not have a realm set, Netty will create one for you and use it. This makes no sense as it's guaranteed to fail.

In Grizzly, if you do not have a realm set, Grizzly will just abort. This is also bad because now you have to wait for the future to time out. In most cases you want to immediately re-send the request with the authorization header, not wait on a timeout.

The correct long term solution IMO is as follows:

If the user doesn't set a realm, don't do anything additional for 401's.

Have a flag to cache the authorization, and an optional expiration on the cache.

A short term solution is to be able to disable 401 handling by the client. That way it's possible to still use AHC while its auth support is being fixed.

@jfarcand
Contributor

jfarcand commented Mar 7, 2012

Looking...thanks!

rlubke added a commit that referenced this issue Mar 7, 2012
…out when dealing with an authorization response with no provided realm.
@jfarcand
Contributor

OK, after looking, you can implement what you call the 'short term' solution as a ResponseFilter. For the long-term solution, any contribution is welcome! I will keep the issue open and will see what can be done for 1.8.0.

@figroc
Contributor

figroc commented Jul 23, 2012

NettyAsyncHttpProvider does not support authorization customization (I need to implement HTTP-MAC). Every time a 401 response is returned, Netty takes control and replays the request with an invalid credential. In the previous version, Netty supported this kind of customization. Why did you guys remove this feature? The fix is just trivial:

                if (statusCode == 401
                        && wwwAuth.size() > 0
      +++++       && realm != null 
                        && !future.getAndSetAuth(true)) {
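
Review bot: the condition needs a short comment stating that a request with no realm now gets its 401 handed back to the caller without a replay, because the added `&& realm != null` line changes behaviour that callers will depend on. The new test should also stay ahead of `!future.getAndSetAuth(true)`, as it is here: by its name that call sets the auth flag when it is evaluated, so with the order reversed a null-realm request would still be marked as having attempted auth.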

@slandelle
Contributor

Looks like the `&& realm != null` test was brought back a long time ago: https://github.com/AsyncHttpClient/async-http-client/blob/async-http-client-1.7.24/src/main/java/com/ning/http/client/providers/netty/NettyAsyncHttpProvider.java#L2101

Considering as fixed, please notify otherwise.
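
The policy proposed in this thread (no replay on a 401 when no realm is set, at most one replay per request, and a cached Authorization value with an optional expiry), as an added Java sketch that is not AsyncHttpClient code. Every class and method name in it is hypothetical, and the origin and header value are constructed placeholders.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical model of the 401 policy discussed in this issue; not AHC code.
public class AuthPolicySketch {
    enum Action { PASS_TO_CALLER, REPLAY_WITH_AUTH }

    // Cached Authorization header value; expiresAtMillis == 0 means "no expiry".
    record Cached(String header, long expiresAtMillis) {
        boolean live(long now) { return expiresAtMillis == 0 || now < expiresAtMillis; }
    }

    private final Map<String, Cached> cache = new ConcurrentHashMap<>();

    // Replay only for a 401 that carries a challenge, when the user configured a
    // realm, and at most once per request. The realm test runs before getAndSet,
    // so a request without a realm never has its "attempted" flag flipped.
    Action on401(int status, boolean hasChallenge, Object realm, AtomicBoolean attempted) {
        if (status == 401 && hasChallenge && realm != null && !attempted.getAndSet(true)) {
            return Action.REPLAY_WITH_AUTH;
        }
        return Action.PASS_TO_CALLER;
    }

    // Key by full origin (scheme://host:port) so a cached credential is never
    // sent preemptively to a different scheme, host or port.
    void remember(String origin, String header, long ttlMillis, long now) {
        cache.put(origin, new Cached(header, ttlMillis == 0 ? 0 : now + ttlMillis));
    }

    // Header to send preemptively, or null when nothing is cached or it expired.
    String preemptive(String origin, long now) {
        Cached c = cache.get(origin);
        if (c == null) return null;
        if (!c.live(now)) { cache.remove(origin, c); return null; }
        return c.header();
    }

    public static void main(String[] args) {
        AuthPolicySketch p = new AuthPolicySketch();
        AtomicBoolean attempted = new AtomicBoolean(false);
        System.out.println(p.on401(401, true, null, attempted));   // no realm configured
        System.out.println(p.on401(401, true, "realm", attempted)); // first 401 with a realm
        System.out.println(p.on401(401, true, "realm", attempted)); // second 401, same request
        String origin = "https://api.example.test:443";            // constructed value
        p.remember(origin, "Basic PLACEHOLDER", 1000, 0);
        System.out.println(p.preemptive(origin, 500));              // within the TTL
        System.out.println(p.preemptive(origin, 1500));             // after the TTL
    }
}
```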

cs-workco pushed a commit to cs-workco/async-http-client that referenced this issue Apr 13, 2023